Windows 10 Bug Allowed UWP Apps Full Access to File System

A bug in Windows 10 allowed Universal Windows Platform (UWP) apps to access the entire file system without permission from the user. This could have allowed a malicious app to access any data stored on the computer without the knowledge or consent of the user.

By default, UWP apps can only access files and folders located in the app's installation directory and its data storage locations in AppData\Local, AppData\Roaming, and the Temp folder. If an app needs to access files outside of these locations, it can display a file/folder picker that the user can use to select a file, or the developer can declare extra permissions for the app.

Extra permissions can be declared by adding them to the app's package manifest file, which can enable access to folders such as Documents, Music, Pictures, etc. You can see an example below of how permission to the user's Pictures library is given to an app.

<Capabilities>
  <uap:Capability Name="picturesLibrary"/>
</Capabilities>

These permissions are then shown in the description of an app in the Microsoft Store.

Permission to access the Pictures Library

There is one permission that a developer can declare that gives their app access to the entire file system. This permission is called broadFileSystemAccess, which you can see being given to Microsoft Sticky Notes in the app's package manifest below.

According to the developer documentation for the broadFileSystemAccess permission, it provides access to "All files that the user has access to. For example: documents, pictures, photos, downloads, desktop, OneDrive, etc."

"This is a restricted capability. On first use, the system will prompt the user to allow access," continues the Microsoft developer documentation. "Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it."

What this means is that if a developer adds this permission, on the first use of an app with this permission, Windows 10 is supposed to show a settings screen where you can enable this permission. This settings page can be found at Settings -> Privacy -> File System as shown below.

Privacy File System Settings Screen
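The capability declarations described above can be read straight from a package manifest to see how much file access an app asks for. The following Python is an added example, not code from the article or from Microsoft; the sample manifest and the package name Contoso.SampleNotes are constructed, and the function and verdict names are this example's own.

```python
import xml.etree.ElementTree as ET

# Capabilities that open user libraries, and the one that opens everything.
LIBRARY_CAPS = {"documentsLibrary", "musicLibrary", "picturesLibrary", "videosLibrary"}
BROAD_CAP = "broadFileSystemAccess"

# Constructed sample manifest (not a real app's); broadFileSystemAccess is a rescap capability.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  IgnorableNamespaces="uap rescap">
  <Identity Name="Contoso.SampleNotes" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Return the package name, its declared capabilities, and a file-access verdict."""
    root = ET.fromstring(xml_text)
    name = next((e.get("Name") for e in root.iter() if local(e.tag) == "Identity"), None)
    caps = []
    for node in root.iter():
        if local(node.tag) != "Capabilities":
            continue
        for child in node:
            # Capability, uap:Capability and rescap:Capability all carry a Name attribute.
            if child.get("Name"):
                caps.append(child.get("Name"))
    if BROAD_CAP in caps:
        verdict = "full-filesystem"      # everything the user can read
    elif LIBRARY_CAPS.intersection(caps):
        verdict = "user-libraries"       # Documents/Music/Pictures/Videos only
    else:
        verdict = "sandbox-only"         # install dir, AppData, Temp, pickers
    return {"package": name, "capabilities": caps, "file_access": verdict}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

To check a real app, pass the text of its AppxManifest.xml to audit_manifest.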

According to Windows app developer Sébastien Lachance, a bug in Windows 10 made it so that the Settings screen above was not displayed. To make matters worse, before Build 1809 (October 2018 Update), the requirement to first enable file system access in the Settings screen was not enforced. This meant that users did not need to give explicit permission for their apps to have full file system access when the broadFileSystemAccess permission was used.

"After I installed the October 2018 Update, I realized that my app was crashing at startup. I found out that accessing my file above was crashing the app. I thought that the manifest was altered, but no. I contacted my friends at Microsoft and they confirmed two important pieces of info to me:

1- That the Windows dialog that is supposed to be shown the first time a file is accessed does not trigger is a *bug*.
2- Because it is a privacy issue, Microsoft decided with the October 2018 Update to set to OFF the value of the broad access file system."

Lachance discovered this bug after creating an app that used the broadFileSystemAccess permission to access data in a hard-coded "C:\myAppData" location. After upgrading to the October 2018 Update, his app suddenly started crashing on startup.

This is because in Build 1809 Microsoft had started to enforce the requirement that users give permission using the Settings page before the broadFileSystemAccess permissions are allowed. Unfortunately, the October 2018 Update has been pulled as Microsoft fixes critical bugs that were discovered after it was initially released.

In order to avoid crashes that will occur when this permission is properly enforced, Lachance suggests UWP app developers trigger the following command when the app needs to access folders outside the application's normally allowed folders.

It is important to note that developers who use the broadFileSystemAccess permission and publish their app to the Microsoft Store are supposed to provide information as to why this permission is required. From there, it would be expected that Microsoft would provide greater scrutiny when reviewing the app to determine if there was any malicious activity.

Unfortunately, as shown by a recent Ad Clicker Trojan in the Microsoft Store that pretended to be a Google Photos app from Google, Microsoft may not be performing a thorough review of submitted apps.

Bleeping Computer has contacted Microsoft for confirmation, but had not heard back at the time of this publication.

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Comments

With all the threats around these days, programmers can't be that stupid. I persist! MICROSOFT did this on purpose, but sadly for them, they got caught too early to be able to exploit their vulnerability.

Came across an app not long ago that was similar to Google Photos in the Microsoft Store, geared towards Samsung's Galaxy series. Very similar in features & design. Even asked if wanted to sync Win 10 to this new app "for easy and instant access between mobile and desktop based on your internet speed!"
Since it was not Google & saw nothing about further permission, my Security system began to investigate it in a sandbox setting as it was not "an official" release of Samsung. Everything came back clean except for the lack of any genuine feedback in its 2 ½ months of being available after beta testing.
But this is Microsoft Store not Google! Fully installed it & began to decide on the synchronization.
Google Photos had not only duplicated but went for quad on many of my uploads. Trying to separate that mess I was timed out on the PC & it had begun its typical routine for being idle a set amount of time.
The flashing notification bar was easily ignored. The toast notification that several programs were unable to run under their normal time limit was curious & showed that the "new" program was gobbling up the metered internet connection as it tried to keep itself online & downloading from my Samsung account.
Standard close & verify with Task Manager then Maximum Scan to shutdown. Restarting went slower than normal & was barely complete when the downloading began again. Somehow it reconnected with nothing about auto start showing. Despite a lengthy process to remove & revoke connection between the two accounts, it refused to go quietly! It had a Slideshow option on the main screen that wasn't declared & ran everything across its display.
Outraged that access was revoked & eventually the program removed, was more than sputtering to learn it had gone online with its display. The developer even had the nerve to invite me back after an ugly review & a search for a contact to fix. Somehow Microsoft took almost a month after # of increasingly outraged messages to the Feedback Hub was it removed altogether. The Review section oddly only allows 4 to be shown at a time on Microsoft Store regardless of size. And like any other Review section, easy to ignore when you could easily learn of bogus material!!
Look closer at what you agree to & give an app permission to do! Part of inviting me to return & change my negative feedback I also had it pointed out that most of the unwanted features were listed in the description along with the unsigned agreement that by downloading then connecting to a separate account outside of Microsoft altogether, it was agreed that the app could be changed at any time to introduce new features or otherwise access content. Except instead of being mixed into the typical release wording as it was originally, it gained 2 separate lines amidst all the licensed jargon to get claimed as just an editing mistake that plainly allowed it to happen!